Introduction

- Why should you care about Cyber Security?
- What is it?
- Why does Privacy matter and how does it relate to Cyber Security?
- Where do I start with Cyber Security?
- What should you do when your Cyber Security is compromised?

Why should you care about Cyber Security?

- Protect yourself from:
  - Project / program failure
  - Embarrassment & reputational damage
  - Legal repercussions for Privacy breaches
    - Federal: PIPEDA, Office of the Privacy Commissioner (OPC)
    - Provincial Privacy Legislation, Privacy Commissioners

What is Cyber Security?

- Definition of cybersecurity: measures taken to protect a computer or computer system (as on the Internet) against unauthorized access or attack. (Merriam-Webster Dictionary)
- The set of technical and operational measures owners must deploy to ensure that their systems are adequately protected from hostile or malicious actors and from accidents/errors.
- "Adequate protection" depends on what is being protected...

Information as an Asset

- Assets are traditionally seen as physical things. Information is also an asset with unique characteristics:
  - Can be "stolen" yet remain in place
  - Can be modified or corrupted on a large scale with little indication
  - Can be held hostage while still in your possession
- Unlike physical assets, IT systems can typically be accessed locally or remotely, so your information can be compromised both by an insider threat and by a perpetrator who is not even on the same continent.

Information Security - Types of Injury

- Confidentiality
  - How sensitive is the data?
  - Does it contain any Personally Identifiable Information (PII) or Personal Health Information (PHI)?
- Integrity
  - What are the consequences of data errors, manipulation, or corruption?
- Availability
  - How long can you go without your data?
  - What are the consequences of permanently losing your data?
- Privacy
  - What are the legal requirements for consent, usage, and disposal?

Threat Actors - Deliberate

- Who cares about your data (besides you)?
  - Organized Crime
    - ID theft, financial theft, ransomware
  - Nation States
    - Espionage, IP theft, commercial advantage
  - Commercial Espionage
    - Commercial advantage, IP theft, embarrassment & loss of trust
  - Hackers
    - Bragging rights, social activism, grudge, financial gain

Threat Actors - Accidental or Natural

While not necessarily directed at you, your IT still needs to deal with Accidental or Natural threats.

- Accidental
  - Power failures, back-hoes cutting power/communications cables, equipment failures, misconfigurations...
- Natural
  - Tornadoes, floods, fires, ice storms...

Cyber Security - Threat Surfaces

(Diagram of threat surfaces; legible layer labels: Business, Processes, Information)

Limiting Threat Surfaces

- Personnel Security
  - Personnel vetting, trustworthiness to counter the "insider threat"
- Physical Security
  - Locked doors, security guards and services, fire prevention and barred windows
- Logical Security
  - Technical security measures in place to protect IT systems
- Supply Chain Security
  - Ensure that products and services are procured from trustworthy suppliers
  - Talk to your suppliers/partners about their supply chain processes

Privacy and Cyber Security

The ultimate authorities on privacy in Canada are the Office of the Privacy Commissioner and their provincial counterparts. Canadian privacy laws such as:

- The Personal Information Protection and Electronic Documents Act (PIPEDA)
- The Privacy Act
- Provincial privacy laws

... seek to establish reasonable standards for the collection, protection, use and destruction of private information.

Privacy and Cyber Security

PIPEDA defines 10 Privacy Principles. In terms of Cyber Security, we are mostly interested in 7 - Safeguards:

(Diagram of the 10 principles; legible labels: 4 - Limiting Collection, 5 - Limiting Use, Disclosure, and Retention, 6 - Accuracy, 7 - Safeguards, 9 - Individual Access, 10 - Challenging Compliance)

PIPEDA Fair Information Principle 7 - Safeguards

- Your responsibilities under PIPEDA:
  - Comply with all 10 of the principles of Schedule 1.
  - Protect personal information against loss or theft.
  - Safeguard the information from unauthorized access, disclosure, copying, use or modification.
  - Protect personal information regardless of the format in which it is held.

In this sense, your Cyber Security mechanisms will provide the tools by which you will meet these safeguarding responsibilities.

Provincial Privacy Requirements

- Provincial PII/PHI Statutes
  - British Columbia's Personal Information Protection Act
  - Alberta's Personal Information Protection Act
  - Québec's An Act Respecting the Protection of Personal Information in the Private Sector
  - Ontario's Personal Health Information Protection Act, with respect to health information custodians
  - New Brunswick's Personal Health Information Privacy and Access Act, with respect to personal health information custodians
  - Nova Scotia's Personal Health Information Act, with respect to health information custodians
  - Newfoundland and Labrador's Personal Health Information Act, with respect to health information custodians
- PIPEDA applies in the absence of Provincial Legislation

Where do I start with Cyber Security?

IT systems can vary widely in both capability and injury level, but generally Cyber Security activities should start with:

- Identifying your data assets
- Identifying potential injuries to them
- Assessing threats and vulnerabilities to determine real Cyber Security measures
- Calculating exposure (Residual Risk)

There are formalized mechanisms for this such as the CSE and RCMP's Harmonized Threat and Risk Assessment process.
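The four steps above (identify assets, identify injuries, assess threats and vulnerabilities, calculate residual risk) carried through as a small risk register in Python. This is an added example, not part of the original deck and not the CSE/RCMP Harmonized TRA methodology: the 1-5 rating scales, the scoring formula, the treatment thresholds and every asset and scenario are constructed for illustration. It uses the deck's four injury types (confidentiality, integrity, availability, privacy) and its threat sources (organized crime, hackers, insiders, accidental) and adds a what-if helper to show how a proposed safeguard changes the exposure.

```python
"""Worked risk register: assets -> injuries -> threat scenarios -> residual risk.

Added, simplified scoring model for illustration; it is NOT the Harmonized TRA
method. Scales, formula, thresholds and sample data are all constructed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    """A data asset with an injury level (1-5) per type of injury from the deck:
    confidentiality, integrity, availability and privacy."""
    name: str
    confidentiality: int
    integrity: int
    availability: int
    privacy: int


@dataclass(frozen=True)
class ThreatScenario:
    """One way an asset could be injured, with assumed 1-5 ratings."""
    label: str
    asset: str
    actor: str                      # deliberate, accidental or natural source
    injury_type: str                # which Asset field this scenario attacks
    likelihood: int                 # 1-5: how likely the threat is to occur
    vulnerability: int              # 1-5: how exposed the asset is with no safeguards
    safeguard_effectiveness: float  # 0.0-1.0: share of exposure existing safeguards remove


MAX_RAW = 5 * 5 * 5  # injury x likelihood x vulnerability, all at maximum


def residual_risk(asset: Asset, scenario: ThreatScenario) -> float:
    """Exposure left after existing safeguards, normalised to a 0-100 score."""
    injury = getattr(asset, scenario.injury_type)
    for rating in (injury, scenario.likelihood, scenario.vulnerability):
        if not 1 <= rating <= 5:
            raise ValueError("ratings must be on the 1-5 scale")
    if not 0.0 <= scenario.safeguard_effectiveness <= 1.0:
        raise ValueError("safeguard effectiveness must be between 0 and 1")
    raw = injury * scenario.likelihood * scenario.vulnerability
    return round(100 * raw * (1 - scenario.safeguard_effectiveness) / MAX_RAW, 1)


def treatment(score: float) -> str:
    """Constructed decision bands for what to do with a residual-risk score."""
    if score >= 30:
        return "treat now"
    if score >= 15:
        return "plan mitigation"
    return "accept and monitor"


def rank_scenarios(assets, scenarios):
    """Return (scenario, score) pairs, highest residual risk first."""
    by_name = {a.name: a for a in assets}
    scored = [(s, residual_risk(by_name[s.asset], s)) for s in scenarios]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def with_safeguard(scenario: ThreatScenario, effectiveness: float) -> ThreatScenario:
    """What-if: the same scenario after a proposed safeguard is added."""
    return replace(scenario, safeguard_effectiveness=effectiveness)


# Constructed sample data for a hypothetical municipal project.
ASSETS = [
    Asset("resident health records", confidentiality=5, integrity=4, availability=3, privacy=5),
    Asset("traffic sensor feed", confidentiality=1, integrity=3, availability=4, privacy=2),
    Asset("public web site", confidentiality=1, integrity=3, availability=3, privacy=1),
]

SCENARIOS = [
    ThreatScenario("S1 ransomware exfiltration", "resident health records", "organized crime",
                   "confidentiality", likelihood=4, vulnerability=4, safeguard_effectiveness=0.5),
    ThreatScenario("S2 cable cut by back-hoe", "traffic sensor feed", "accidental",
                   "availability", likelihood=5, vulnerability=3, safeguard_effectiveness=0.6),
    ThreatScenario("S3 DDoS on web site", "public web site", "hackers",
                   "availability", likelihood=3, vulnerability=4, safeguard_effectiveness=0.25),
    ThreatScenario("S4 insider copies records", "resident health records", "disgruntled employee",
                   "privacy", likelihood=2, vulnerability=5, safeguard_effectiveness=0.3),
]


if __name__ == "__main__":
    for scenario, score in rank_scenarios(ASSETS, SCENARIOS):
        print(f"{score:5.1f}  {treatment(score):18}  {scenario.label}")
    # What-if: encrypting the records at rest with separately held keys, assumed
    # here to raise safeguard effectiveness on S1 from 0.5 to 0.8.
    improved = with_safeguard(SCENARIOS[0], 0.8)
    print("S1 after added safeguard:", residual_risk(ASSETS[0], improved))
```

The point of the exercise is the ordering, not the absolute numbers: the same asset (the health records) tops the list twice through different injuries and different actors, and the what-if shows that a single safeguard only moves one scenario, so the register has to be re-run after each measure is chosen.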

Risk Assessments - How exposed are you?

- Threat-Risk Assessment (TRA)
  - Assesses (realistic) threats and vulnerabilities, calculates exposure (Residual Risk)
  - Typically contracted out to a Security Practitioner
  - A TRA often feeds into a PIA
- Privacy Impact Assessment (PIA) - Mandated for Federal Departments
  - Privacy Impact Assessments (PIAs) are used to identify the potential privacy risks of new or redesigned federal government programs or services. They also help eliminate or reduce those risks to an acceptable level.

Privacy Impact Assessment (PIA)

- A PIA is designed to accomplish three goals:
  - Ensure conformance with applicable legal, regulatory, and policy requirements for privacy
  - Determine the risks and effects of collecting PII/PHI
  - Evaluate protections and alternative processes to mitigate potential privacy risks

What should you do when your Cyber Security is compromised?

- Despite your best efforts to secure your data, you have to be prepared to act if it is compromised.
  - Do you and your employees have clearly defined roles in case of a compromise?
  - Do you have any means to monitor your systems to detect a compromise?
  - Do you have a clear set of operational procedures to follow in case of a compromise, including points of contact?
  - Do you have a disaster recovery plan in place?

What Sort of Bad Stuff is Out There?

- DDoS
  - Canadian Government Websites
- Ransomware (WannaCry)
  - Midland & Wasaga Beach ON
- Intellectual Property Theft/Competitive Advantage
  - NRC/Potash Corporation
- Private Health Data Theft:
  - CarePartners privacy breach - Thousands of patient records stolen
- Insider Threat by Disgruntled Employees
  - San Francisco

Prevention & Detection

- Use supported software & apply security patches
- Harden your system
  - Center for Internet Security (CIS) baseline
  - Microsoft Security Baseline
  - PCI-DSS
  - NIST Cyber Security Framework Small and Medium Business Resources
- Monitor your system
  - SIEM log processor
  - Antivirus

Prevention & Detection (Continued...)

- Leverage commercial providers if you lack in-house resources
- Engage a Security Professional
- For larger systems, design and assess your system against recognized standards:
  - ISO 27001, NIST 800-53, ITSG-33, NIST Cyber Security Framework

Considerations for Large Data Sets

Many Smart Cities projects are grappling with how to handle large data sets, often containing Personal Information. Some things to consider:

- If you are storing the data yourself, physical and logical access control, backup, encryption and scalability will need to be addressed.
- Managed service providers (including cloud service providers) can address many of these issues for you, but pay attention to privacy laws with respect to data residency as well as cost.
- Data anonymization, the process of removing identity data to allow sharing of large data sets, is a complex and difficult process. Seek out expertise if this is outside of your skill set.
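One concrete reason anonymization is harder than it looks, as an added Python example that is not part of the original deck: removing the obvious identifiers (name, health number) leaves "quasi-identifiers" such as postal code, birth year and sex that can be linked back to a person through other data sets. The check below measures k-anonymity (the size of the smallest group of records that share the same quasi-identifier values; k = 1 means some record is unique and therefore re-identifiable) and then coarsens the quasi-identifiers until a required k is met, or refuses to release the data. The records, the choice of quasi-identifiers and the generalisation rules (postal code to its first three characters, birth year to decade) are all constructed; k-anonymity is only one of several checks an expert would apply.

```python
"""Why stripping names is not anonymization: a k-anonymity check.

Added example, not from the deck. The records and the generalisation rules
(postal code -> first three characters, birth year -> decade) are constructed.
"""
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "health_number"}
# Attributes that are not identifiers on their own but can be linked to other data.
QUASI_IDENTIFIERS = ("postal_code", "birth_year", "sex")

# Constructed sample records; any resemblance to real people is accidental.
RECORDS = [
    {"name": "A. Tremblay", "health_number": "0001", "postal_code": "K1A 0B1", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"name": "B. Nguyen",   "health_number": "0002", "postal_code": "K1A 0B1", "birth_year": 1984, "sex": "F", "diagnosis": "diabetes"},
    {"name": "C. Singh",    "health_number": "0003", "postal_code": "K1A 0B9", "birth_year": 1986, "sex": "M", "diagnosis": "hypertension"},
    {"name": "D. Roy",      "health_number": "0004", "postal_code": "K1A 0B3", "birth_year": 1981, "sex": "M", "diagnosis": "asthma"},
    {"name": "E. Martin",   "health_number": "0005", "postal_code": "K2P 1L4", "birth_year": 1990, "sex": "F", "diagnosis": "migraine"},
    {"name": "F. Wilson",   "health_number": "0006", "postal_code": "K2P 1L7", "birth_year": 1995, "sex": "F", "diagnosis": "diabetes"},
]


def drop_direct_identifiers(records):
    """The naive step: remove only the obvious identifiers."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in records]


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count records that share the same quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS) -> int:
    """Size of the smallest equivalence class; k = 1 means some record is unique."""
    return min(equivalence_classes(records, quasi).values())


def singletons(records, quasi=QUASI_IDENTIFIERS):
    """Records unique on their quasi-identifiers, i.e. re-identifiable by linkage."""
    classes = equivalence_classes(records, quasi)
    return [r for r in records if classes[tuple(r[q] for q in quasi)] == 1]


def generalize(record):
    """Coarsen quasi-identifiers: first three characters of the postal code, birth decade."""
    return {**record,
            "postal_code": record["postal_code"][:3],
            "birth_year": record["birth_year"] // 10 * 10}


def release(records, k_required: int):
    """Return a data set meeting k_required, or refuse to release it."""
    stripped = drop_direct_identifiers(records)
    if k_anonymity(stripped) >= k_required:
        return stripped
    generalized = [generalize(r) for r in stripped]
    if k_anonymity(generalized) < k_required:
        raise ValueError(f"cannot reach k={k_required}; generalize further or suppress records")
    return generalized


if __name__ == "__main__":
    stripped = drop_direct_identifiers(RECORDS)
    print("k after removing names:", k_anonymity(stripped))
    print("records still unique on (postal code, birth year, sex):", len(singletons(stripped)))
    print("k after generalizing:", k_anonymity(release(RECORDS, 2)))
```

On this sample, dropping names leaves four of six records unique on their quasi-identifiers, so anyone holding a voter list or a parcel database with postal code, birth year and sex could attach a diagnosis to a name; only after coarsening does every record share its quasi-identifier values with at least one other. The sensitive column (diagnosis) is untouched by either step, which is exactly why the quasi-identifiers matter.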

Considerations for Large Data Sets (Continued...)

- Aggregation - is the collection more than the sum of the parts?
- PII - raises the stakes
- Storage - Who has access? Where is it stored?
- Backup - it is being done, right? Who and where?
- Sharing - do you need to share your data? With whom? Why?
- Authorized Access - do you know who's accessing your data?
- Citizen Access for PII/PHI - by law: view, modify, correct, remove
- Consider leveraging Commercial Services (such as Cloud)

Communications Security Establishment / Centre de la sécurité des télécommunications
Processed under the provisions of the Access to Information Act / Révisé en vertu de la Loi sur l'accès à l'information
Page 23 of 29
Classification: UNCLASSIFIED

Incident Response

- Have a plan, and test it periodically
- Isolate the system to contain the breach
- Decide how to proceed - remediate or prosecute?
- Contact CCCS/RCMP
- Commercial IR services
- What needs to be fixed to prevent a reoccurrence?
- Where's your backup?

Incident Response and Recent Changes to PIPEDA

As of November 1, 2018, organizations subject to The Personal Information Protection and Electronic Documents Act (PIPEDA) will be required to:

- Report to the Privacy Commissioner of Canada breaches of security safeguards involving personal information that pose a real risk of significant harm to individuals;
- Notify affected individuals about those breaches, and;
- Keep records of all breaches.

Wrap Up

- Cyber Security is a constantly evolving landscape; putting together a solid cyber security foundation is essential
- Consider the legal, reputational, program implications for Cyber Security failures
- Consider engaging professional help in areas outside of your expertise
- The Internet is a very hostile place, so make plans to secure your systems from day one, but expect breach and be prepared to respond and recover

Contacts

- Canadian Centre for Cyber Security:
  - Email: contact@cyber.gc.ca
  - Toll Free: 1-833-CYBER-88 (1-833-292-3788)
  - Local: 613-949-7048
- There are many Cyber Security resources available at:
  - https://cyber.gc.ca/en/

Helpful Links

- PIPEDA Principles
  - https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/p_principle/
- Harmonized Threat and Risk Assessment:
  - https://www.cse-cst.gc.ca/en/system/files/pdf_documents/tra-emr-1-e.pdf
- Incident Examples:
  - (URL illegible in source; news article on a Canadian government website hit with a massive outage)
  - https://barrie.ctvnews.ca/first-wasaga-beach-now-midland-hit-by-cyber-attack-1.4079698
  - https://business.financialpost.com/technology/canada-must-ramp-up-cyber-security-in-wake-of-china-led-attacks-experts-say
  - https://www.carepartners.ca/Privacy-Breach-Update.htm
  - https://www.wired.com/2008/07/insider-tech-at/
- Cyber Security Guidance for Smaller Organizations:
  - https://www.nist.gov/cyberframework/small-and-medium-business-resources